Is StrictHostKeyChecking=no acceptable on a MacLogin cloud Mac?

No for production workflows. Disabling host key checks removes MITM protection. Prefer distributing out-of-band fingerprints, using SSH certificates, or pinned UpdateHostKeys policies documented in your internal runbook.

Why did SSH warn me after the provider replaced the instance?

New hardware or OS reinstall generates new host keys. Remove stale lines from known_hosts or use ssh-keygen -R for the hostname and port, then re-verify the new fingerprint through an authenticated channel before accepting.

How often should we audit known_hosts for shared rental fleets?

After every maintenance window that can reimage disks, and at least every 90 days for contractors. Pair audits with SSH key rotation reviews so identity and host trust stay in sync.

SSH / VNC 2. April 2026

Erster SSH-Login Cloud Mac 2026: Host-Keys, known_hosts und Team-TOFU

MacLogin Security Team 2. April 2026 ca. 11 Min.

Engineers and team admins renting Apple Silicon Mac minis for the first time often rush past the SSH host-key prompt—and later discover conflicting entries in ~/.ssh/known_hosts when IPs are reused or disks are reimaged. This article’s conclusion: treat the first connection as a security ceremony, not a speed bump. You will get a seven-step runbook, a two-column decision matrix for strict host key checking, renewal guidance after maintenance, measurable audit cadence (including a 90-day contractor review), and FAQ aligned with multi-tenant cloud Mac operations.

Kombinieren Sie diesen Leitfaden mit Fehlerbehebung Remote-Login wenn Pakete laufen, Vertrauen aber fehlt, SSH-Schlüsselrotation und 2FA für Identität, und Bastion vs. direktes SSH wenn Fingerabdrücke pro Hop veröffentlicht werden. GUI-Teams sollten die VNC-Dokumentation parallel offen haben.

Who Needs a Formal First-SSH Trust Process

Anyone connecting to a MacLogin node—or any dedicated cloud Mac—where more than one human shares credentials over time, or where infrastructure may reprovision without a calendar invite to every developer. The pain shows up as:

Phantom MITM warnings: A teammate accepted a key on a stale IP, and your laptop now disagrees with the provider’s published fingerprint.
Automation brittleness: CI jobs embed ssh -o StrictHostKeyChecking=no “temporarily,” and the exception becomes permanent across 40+ pipelines.
Audit gaps: Regulated teams cannot prove which fingerprint was trusted on which date when an investigator asks six months later.

MacLogin note: Host keys live on the instance you rent. After disk wipe or migration, expect new keys even if the DNS name looks identical—always re-verify using an authenticated channel (ticket reply, signed internal doc, or customer portal artifact), not a third-party chat screenshot.

TOFU, MITM, and Why Cloud Rentals Amplify Confusion

SSH uses trust-on-first-use (TOFU): the client stores whatever key the server presents the first time, then warns on change. Man-in-the-middle attackers exploit rushed users who click “yes” while distracted. On cloud Mac rentals, legitimate changes mimic attacks: provider maintenance, hypervisor migration, or a teammate who reinstalled macOS to clear Xcode cruft.

Modern OpenSSH prefers ssh-ed25519 host keys; you will typically see a SHA256: fingerprint whose base64 body is 43 characters long in many default configurations—count them slowly when comparing to the wiki. Legacy RSA 3072-bit or 4096-bit host keys produce longer fingerprint strings; mixing algorithms across documentation versions is a top source of “false mismatch” tickets.

Baselines you can cite in runbooks

Budget 5–8 minutes per engineer for first-connection verification including screenshot archival.
Target 100% coverage of laptops and CI secret stores within 48 hours after any published IP or hostname migration.
Keep at least two independent sources for fingerprints (for example portal + signed PDF) when SOC2-style evidence matters.

Seven-Step First SSH Connection Runbook

Freeze the target: Record hostname, port (if not 22), and bastion path if applicable—mirror the table in Bastion vs. direktes SSH.
Fetch fingerprints first: Before typing ssh, open the internal sheet or support message that lists the expected ssh-keyscan -t ed25519 output for that fleet.
Verbose once: Run ssh -vvv user@host and capture the final host key offer; redact usernames if you paste into tickets.
Compare character by character: Do not eyeball; copy into a diff tool if needed. One transposed character means stop.
Accept and log: Only after match, answer yes; store the ticket ID referencing who approved the trust decision.
Automate the boring part: Check in a team ssh_config.d fragment with Host aliases so interns do not improvise flags.
Schedule re-validation: Add a calendar reminder for 90-day contractor access reviews and after every maintenance window described in provider status pages.

StrictHostKeyChecking: Decision Matrix

Use this when drafting Ansible variables, GitHub Actions secrets, or developer laptops. The goal is zero silent bypasses in production paths.

Scenario	Recommended setting	Rationale
Human first login to a new MacLogin instance	`ask` (default) with pre-published fingerprint	Forces conscious acceptance tied to documentation
Unattended CI runner deploying artifacts	`yes` plus pre-seeded `known_hosts` or SSH certificates	Prevents runtime MITM while allowing automation
Ephemeral lab torn down nightly	Certificate-based host auth or signed sshd keys	Avoids teaching engineers to disable checks “just for labs”
Contractor laptop you do not manage	Mandatory VPN + jump host with pinned keys	Shrinks attack surface when endpoints are unknown

Warning: Piping ssh-keyscan straight into known_hosts without verification is TOFU at network speed—fine only inside a tightly controlled bootstrap VLAN, not over the public Internet.

When Host Keys Change After Rotation or Reinstall

Run ssh-keygen -R '[host]:port' on every engineer machine and CI image, then repeat the seven-step ceremony. If you operate shared machines, announce a 24-hour coexistence window where both old and new fingerprints appear in the wiki so global teams across Hong Kong, Tokyo, and US offices can refresh without emergency pages.

Link identity rotation to this process: when you cycle user keys per MacLogin-Rotationsleitfaden, add a checkbox item for host-key verification so two unrelated changes do not land the same weekend. For fleet governance, see Mehrbenutzer-Governance if several admins can regenerate sshd keys.

Signal	Likely cause	First action
`REMOTE HOST IDENTIFICATION HAS CHANGED`	Reimage, migration, or MITM	Stop; confirm with provider before deleting old keys
Warning only on port-forwarded path	NAT hairpin or wrong jump target	Compare `ssh -G` expanded config
CI fails while humans succeed	Stale cached `known_hosts` in runner image	Rebuild image with fresh pins after verification

Host Key Trust FAQ

Can I trust DNSSEC alone? DNS layers help but do not replace host-key verification unless you operate full DANE with SSHFP records everywhere clients honor—rare in 2026 corporate Mac fleets.

What about UpdateHostKeys? Useful when servers publish multiple keys and rotate gradually; still require policy so clients do not learn rogue keys during a breach window.

Where do MacLogin customers get help? Start with MacLogin Hilfe for connectivity, then apply this checklist before opening a ticket blaming “SSH flakiness” when the session is actually failing trust.

Ready to provision a node? Compare regions on Preise, pick the lowest RTT site for your team, and bake host-key publication into the same onboarding doc you use for MacLogin Startseite deep links.

Zuerst den Mac mieten—Vertrauen vor dem zweiten Hop prüfen

Region wählen, Hilfe lesen, SSH-Host-Keys im gleichen Runbook wie User-Keys.

Pläne & Regionen Verbindungshilfe